WordPress 4.8.2 comes with fixes for 9 vulnerabilities, but refuses to fix CVE-2017-8295

On 19 Sep, 2017, WordPress 4.8.2 was released to the public. Nine high security issues are fixed, but the Core Team still refuses to fix CVE-2017-8295, a Host Header Attack vulnerability. 36 million websites are affected.

$wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Slavco.

A cross-site scripting (XSS) vulnerability was discovered in the oEmbed discovery. Reported by xknown of the WordPress Security Team.